Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Published byCathleen Mason Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"— Presentation transcript:

1 Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

2 Today ARP in a nutshell ARP Poisoning Ping reflection (smurf attack) MAC Flooding Detecting promiscuous hosts Ping / traceroute using other protocols Firewalking

3 ARP in a Nutshell ARP = Address Resolution Protocol A bridge between IP and Ethernet, which helps make a local network “work” Most important functionality – translate IP addresses to MAC addresses so we can actually send packets! Two major messages – o ARP request – “Who is at 192.168.1.1?” o ARP reply – “192.168.1.1 is at A1:B2:C3:D4:E5:F6”

4 ARP Poisoning To avoid making an ARP request before sending every IP packet, each host has a local cache. Another trick to avoid excessive ARP requests, is that every host will send a broadcast ARP reply when it comes online / every interval, to let everyone know its MAC address (known as “Gratuitous ARP”) Most implementations are state-less by design, and will happily store ARP replies even if they didn’t issue a request (for reasons stated above) Result – everyone on the local network can impersonate any other host, by sending a malicious ARP reply in their name.

5 ARP Poisoning Attack scenario – Diagram Copyright: http://gm.kochar.com/post/WEB-SPOOFING.aspxhttp://gm.kochar.com/post/WEB-SPOOFING.aspx

6 Ping Reflection (“smurf attack”) We want to DoS a host, but we’re not fast enough… So we’ll get everyone else to join! Basic concept – send a ping request to everyone, but put the target’s IP address in the source of the packet. Result - everyone will send a reply to the target, effectively DDoSing it. Diagram copyright: http://onlinehelp.avs4you.com/AVS- Firewall/Introduction/NetworkAttacks.aspx

7 No more sniffing… It used to be easy to sniff traffic on the local network All traffic went to everyone behind the same router on a HUB based network Now – switches galore! We still need to sniff traffic… Enter MAC Flooding

8 Switches 101 Switches know where to route packets by learning which MAC addresses are connected to which port This is done by seeing which source MACs appear on which ports, and storing this information in a fast look-up table (CAM) This table has to be very fast, so it must be limited in size. This is not an issue, since It is highly unlikely to run more than a few 100’s / 1000’s of hosts on the same layer-2 network due to other reasons.

9 MAC Flooding We’re on a network, but that network uses switches, so we can’t sniff anything interesting… Or can we? What happens if we send out packets with different source MAC addresses? Will the switch refuse to learn new addresses? No! it will just fail-over to operating like a hub – a ‘dumb’ repeater Image Copyright: http://www.ciscozine.com/2009/01/05/protecting-against-mac-flooding-attack/http://www.ciscozine.com/2009/01/05/protecting-against-mac-flooding-attack/

10 Promiscuous mode Normally, the network card will listen to every incoming packet, and discard any packet whose destination MAC address is not its own. When someone is running a sniffer, they’ll want to capture as much information as possible about the network. Network cards can support this by going into what’s called “Promiscuous mode” – where every packet received is sent to the OS for further processing.

11 Detecting Promiscuous Hosts We want to detect if someone on our network is using a sniffer in promiscuous mode. The trick – Send out a ping request with the wrong destination MAC address, but the right IP target (or broadcast). Regular hosts will discard the packet, but anyone in promiscuous mode will reply, since the IP target was valid

12 Ping / Tracerout Using Different Protocols Let’s assume TCP SYN / ICMP Echo requests are monitored / blocked but you still want to know if a host is up, and/or what are the network elements between you and the target (traceroute) ARP Ping – o Send an ARP request for a host on the same subnet(can even use broadcast) o If you get a reply – that host is alive TCP Port Scan – o Instead of using a SYN packet, use a TCP data packet, and listen for an RST packet

13 Ping / Tracerout Using Different Protocols UDP traceroute – o You already found out that the host will send you an ICMP Port Unreachable message when you send a UDP datagram to a certain closed port o But you want to find all the elements in the way o Solution – send and resend the packet, each time with different IP TTL o You will get ICMP errors from many intermediate hosts TCP traceroute – o Same as UDP, and can use SYN on an known open port, arbitrary data packet on a known open port, or data on a known closed port Basically – most services could be used for traceroute / ping given the right scenario

14 Firewalking We want to learn which ports/subnets are filtered If there is a rule to drop a packet, we’ll get no reply If the packets can reach past the firewall, we still need to get everything else valid… Solution – use TTL! Set packets to TTL of the FW + 1 If we get an ICMP error packet (TTL exceeded) – our packet got through!

15 This week’s exercise Implement some of these techniques Be careful about affecting your network Don’t abuse on other networks – you are responsible for any damage you create

16 Questions?

17 Extra IPv6 – o DHCP  RA o ARP  NDP o Interop / transition – Dual stack Tunneling VLAN Hopping o Switch / trunk spoofing o Double encapsulation Spanning Tree takeover DNS Poisoning

Download ppt "Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.

Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Security - Systems Design Considerations. Layer 2 Design L2 Control protocols - 802.1q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.

Security - Systems Design Considerations. Layer 2 Design L2 Control protocols q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.
Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.

Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.
1 Internet Networking Spring 2002 Tutorial 4 ICMP (Internet Control Message Protocol)

1 Internet Networking Spring 2002 Tutorial 4 ICMP (Internet Control Message Protocol)
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.

Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Examining IP Header Fields

Examining IP Header Fields
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.

ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.

Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.

Similar presentations

Ads by Google